Security Concerns in Roundcube Webmail

Security experts have discovered several vulnerabilities in the Roundcube webmail program that could allow attackers to inject malicious JavaScript into a user’s browser, leading to the theft of sensitive data from their account.

You might be interested in: Over a Million Domains Exposed to Hijacking

According to a report from the cybersecurity firm Sonar, “when a victim views a malicious email in Roundcube, sent by an attacker, the attacker can run arbitrary JavaScript in the victim’s browser.”

These vulnerabilities could let attackers steal emails, contacts, the victim’s email password, and even send emails from the victim’s account.

Patch Released for Roundcube

Roundcube versions 1.6.8 and 1.5.8, released on August 4, 2024, address three identified vulnerabilities that were responsibly disclosed on June 18, 2024. The vulnerabilities include:

• CVE-2024-42008: This is a cross-site scripting (XSS) vulnerability in the Content-Type header of a malicious email attachment.
• CVE-2024-42009: An XSS vulnerability arising from the post-processing of cleaned HTML text.
• CVE-2024-42010: A vulnerability caused by insufficient CSS filtering, leading to information leakage.

If these vulnerabilities are exploited, attackers can steal emails and contacts, send emails from the victim’s account, and gain continuous access to the victim’s browser, even after it is restarted.

Exploitation Details

According to Oskar Zeino-Mahmalat, exploiting the main XSS vulnerability (CVE-2024-42009) requires only that the victim views the email. For CVE-2024-42008, the victim must click once, but the attacker can hide this interaction from the user.

Details on these vulnerabilities have been withheld to give users time to update to the latest version and to prevent exploitation by nation-state actors like APT28, Winter Vivern, and TAG-70, who have a history of targeting webmail software vulnerabilities.

Additional Security Issue in RaspAP Project

In related news, a severe local privilege escalation vulnerability (CVE-2024-41637) has been discovered in the open-source RaspAP project. With a maximum CVSS score of 10.0, this flaw allows attackers to elevate their access to root and execute critical commands. Version 3.1.5 has been released to fix this issue.

A vulnerability researcher known as 0xZon1 explained, “the www-data user has write access to the restapi.service file and sudo privileges to execute several critical commands without a password. This combination allows an attacker to modify the service to run arbitrary code with root privileges, escalating their access from www-data to root.”

Conclusion

It’s crucial for users of Roundcube and RaspAP to update their software to the latest versions immediately to protect against these vulnerabilities. Cybersecurity threats are continuously evolving, and staying up-to-date with the latest patches is a vital part of maintaining security. Regularly updating software and being cautious about email attachments and links are essential practices to prevent exploitation by attackers.